Worm.NetSky.f.enc

Author: anonymous  2008-05-31

Virus name:

Worm.NetSky.f.enc

Category: worm

Virus details:

Destructive behavior:

Virus: "NetSky" variant

A worm, packed with PE Pack v1.0 and written in VC++.

Once executed, the virus performs the following actions:

1. It first creates a local mutex named "LK[SkyNet.cz]SystemsMutex" to ensure that only one copy of the virus runs;

2. The virus body contains the following string:

"Skynet AntiVirus - Bagle - you are a looser!!!!"

3. It copies itself into the Windows directory as:

%WINDIR%\svchost.exe;

4. It adds the following value:

"Zone Labs Client Ex" = "%WINDIR%\svchost.exe -antivirus service"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

This is the trick the virus uses to start automatically with Windows;

The virus deletes the following registry values:

Under the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

it deletes these values:

"Taskmon"
"EXPlorer"
"KASPerskyAV"
"system."
"msgsvr32"
"DELETE ME"
"service"
"Sentry"
"Windows Service Host"

Under the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

it deletes these values:

"Explorer"
"KasperskyAV"
"system."
"d3dupdate.exe"
"au.exe"
"OLE"
"Windows Service Host"
"gouday.exe"
"rate.exe"
"sysmon.exe"

Note: "KasperskyAV" is a value created by the Worm.Mimail.t virus.

It deletes the keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch

It deletes the subkey:

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

Note: this key is created by the "SCO bomb" virus.

5. The virus searches for e-mail addresses in files with the following extensions:

".eml"
".txt"
".PHP"
".pl"
".htm"
".Html"
".vbs"
".rtf"
".uin"
".asp"
".wab"
".doc"
".adb"
".tbb"
".dbx"
".sht"
".oft"
".msg"
".dhtm"
".cgi"
".shtm"

6. The virus uses its own built-in SMTP engine to send infected mail to the addresses harvested above.

The mail has the following characteristics:

The subject is one of:

"Re: Re: Document"
"Re: Re: Thanks!"
"Re: Thanks!"
"Re: Your document"
"Re: Here is the document"
"Re: Your picture"
"Re: Re: Message"
"Re: Hi"
"Re: Hello"
"Re: Re: Re: Your document"
"Re: Here"
"Re: Your music"
"Re: Your software"
"Re: Approved"
"Re: Details"
"Re: Excel file"
"Re: Word file"
"Re: My details"
"Re: Your details"
"Re: Your bill"
"Re: Your text"
"Re: Your archive"
"Re: Your letter"
"Re: Your product"
"Re: Your website"

The message body is one of:

"Your document is attached."
"Here is the file."
"See the attached file for details."
"Please have a look at the attached file"
"Please read the attached file."
"Your file is attached."

The attachment name is one of:

"your_document.pif"
"document.pif"
"message_part2.pif"
"document_full.pif"
"your_picture.pif"
"message_details.pif"
"your_file.pif"
"document_4351.pif"
"yours.pif"
"mp3music.pif"
"application.pif"
"all_document.pif"
"my_details.pif"
"document_excel.pif"
"document_word.pif"
"your_details.pif"
"your_bill.pif"
"your_text.pif"
"your_archive.pif"
"your_letter.pif"
"your_product.pif"
"your_website.pif"

The virus does not send mail to addresses containing any of the following strings:

"icrosoft"
"antivi"
"ymantec"
"spam"
"avp"
"f-secur"
"itdefender"
"orman"
"cafee"
"aspersky"
"f-pro"
"orton"
"fbi"
"abuse"
"messagelabs"
"skynet"
"andasoftwa"
"freeav"
"sophos"
"antivir"
"iruslis"
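The fixed subject, body and attachment strings above make this variant easy to catch at a mail gateway. The following Python check is an added example, not code from the original description: it tests a message against the lists exactly as given on the page, and the fallback flag for any other .pif attachment and the `is_netsky_f_lure` quarantine rule are my own assumptions about how a gateway would use them.

```python
# Lure strings copied from the NetSky.F description above. Matching is
# case-insensitive because the worm's own strings vary in case.
NETSKY_F_SUBJECTS = {s.lower() for s in (
    "Re: Re: Document", "Re: Re: Thanks!", "Re: Thanks!", "Re: Your document",
    "Re: Here is the document", "Re: Your picture", "Re: Re: Message", "Re: Hi",
    "Re: Hello", "Re: Re: Re: Your document", "Re: Here", "Re: Your music",
    "Re: Your software", "Re: Approved", "Re: Details", "Re: Excel file",
    "Re: Word file", "Re: My details", "Re: Your details", "Re: Your bill",
    "Re: Your text", "Re: Your archive", "Re: Your letter", "Re: Your product",
    "Re: Your website")}
NETSKY_F_BODIES = {b.lower() for b in (
    "Your document is attached.", "Here is the file.",
    "See the attached file for details.", "Please have a look at the attached file",
    "Please read the attached file.", "Your file is attached.")}
NETSKY_F_ATTACHMENTS = {
    "your_document.pif", "document.pif", "message_part2.pif", "document_full.pif",
    "your_picture.pif", "message_details.pif", "your_file.pif", "document_4351.pif",
    "yours.pif", "mp3music.pif", "application.pif", "all_document.pif",
    "my_details.pif", "document_excel.pif", "document_word.pif", "your_details.pif",
    "your_bill.pif", "your_text.pif", "your_archive.pif", "your_letter.pif",
    "your_product.pif", "your_website.pif"}


def netsky_f_indicators(subject, body, attachment_names):
    """Return the indicators a message matches; an empty list means no match."""
    hits = []
    # The worm uses the listed strings verbatim as the whole subject/body,
    # so compare the trimmed text as a whole rather than searching inside it.
    if subject.strip().lower() in NETSKY_F_SUBJECTS:
        hits.append("subject")
    if body.strip().lower() in NETSKY_F_BODIES:
        hits.append("body")
    for name in attachment_names:
        lowered = name.lower()
        if lowered in NETSKY_F_ATTACHMENTS:
            hits.append("attachment:" + lowered)
        elif lowered.endswith(".pif"):
            # Assumption: an unlisted .pif (a Windows program shortcut, i.e.
            # executable) attachment is still worth flagging on its own.
            hits.append("pif-attachment:" + lowered)
    return hits


def is_netsky_f_lure(subject, body, attachment_names):
    """Assumed quarantine rule: a listed .pif name plus a listed subject or body."""
    hits = netsky_f_indicators(subject, body, attachment_names)
    has_named_pif = any(h.startswith("attachment:") for h in hits)
    return has_named_pif and ("subject" in hits or "body" in hits)
```

A real deployment would read the subject, first text part and attachment filenames out of the parsed MIME message and feed them to `is_netsky_f_lure`.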

7. On 2 March 2004, between 6:00 and 9:00 AM, it makes the system speaker emit tones at random frequencies.

Removal:

Use Guanghua anti-virus software to remove it completely.

Virus demonstration:

Virus FAQ:

A PE virus on Windows.

Discovery date:

2004-3-4
